NTC 2018: Securing Your Website with HTTPS

Co-presented with Ben Byrne: https://www.slideshare.net/drywallbmb/presentations

There is a growing appetite for the ability to browse the web securely. Trends clearly show that the public’s tolerance for the non-secure-site-as-default is waning fast. Increasingly, sites that are not secure get called out publicly by users via social media channels; they cannot achieve higher search engine rankings, and they become vulnerable to security breaches and lawsuits.

If your organization is not serving its public-facing and internal sites over HTTPS, then you will want to come learn more about what HTTPS is, why your organization needs it, and how to make the case for this method of encryption back at the office.

Come learn about:

* The difference between HTTP and HTTPS
* The benefits and challenges of getting your site on HTTPS
* Free tools and services
* Tips and best practices when planning for and implementing HTTPS
* How to garner support for the switch inside your organization

This session will be designed for our non-technical colleagues. It will be delivered in plain language and there will be a generous amount of time left for questions and answers.

Learning Objectives

* Understand browser privacy and the current trend toward browser encryption, and differences between security and privacy
* Review the steps to switch to HTTPS, ways to mitigate risk, and the tools and services available to you
* Learn how to make a solid case for HTTPS inside your organization

Katherine White

April 12, 2018

Transcript

  1. SECURING YOUR WEBSITE
    WITH HTTPS
    WHAT IT IS AND WHY YOU NEED IT — NOW
    #18NTCHTTPS
    04/12/2018
    Ben Byrne, Cornershop Creative

    Katherine White, Kanopi Studios

  2. GETTING STARTED
    JOIN THE CONVERSATION
    ▸ Online: #18NTChttps
    ▸ Collaborative Notes: http://po.st/18NTChttps
    ▸ Here and now

  3. GETTING STARTED
    WHAT WE’LL DISCUSS
    ▸ What is HTTPS?
    ▸ HTTPS Myths
    ▸ Security, Privacy, and the Public
    ▸ Why to update NOW
    ▸ Benefits and Challenges
    ▸ Steps to Implement HTTPS

  4. GETTING STARTED
    ABOUT US
    ▸ Ben Byrne
      ▸ Co-founder of Cornershop Creative
      ▸ Lives in Santa Rosa, CA
    ▸ Katherine White
      ▸ Director of Engineering at Kanopi Studios
      ▸ Lives in Austin, TX

  5. WHAT IS HTTPS?

  6. HYPERTEXT TRANSFER
    PROTOCOL SECURE

  7. SECURE ONLINE COMMUNICATIONS HAPPEN
    WHEN AN SSL CERTIFICATE ISSUED BY A
    CERTIFICATE AUTHORITY ENABLES A SITE TO
    TRANSFER ENCRYPTED CONTENT OVER A
    SECURE PROTOCOL.

  8. CERTIFICATES
    WHAT IS HTTPS?

  9. WHAT IS HTTPS?
    “SSL” CERTIFICATES
    ▸ Digital certificate that authenticates the identity
    of a website
    ▸ It isn’t actually “SSL” any more, but the term
    has stuck
    ▸ Contains information about the certificate
    holder and authority

  10. (image-only slide)

  11. WHAT IS HTTPS?
    “SSL” CERTIFICATE TYPES
    ▸ Single Domain Certificates
    ▸ Multi-Domain Certificate (MDC)
    ▸ Wildcard Certificate
    ▸ CAs cannot issue all types at all levels

  12. WHAT IS HTTPS?
    “SSL” CERTIFICATE LEVELS
    ▸ Extended Validation (EV) Certificates
      ▸ Highest level of security
      ▸ Rigorous validation process by the CA
    ▸ Organization Validated (OV) Certificates
    ▸ Domain Validated (DV) Certificates
      ▸ The most common certificate level
      ▸ Ensures the domain is controlled by the certificate requestor

  13. IT’S THE PADLOCK
    THAT MATTERS.

  14. CERTIFICATE AUTHORITIES
    WHAT IS HTTPS?

  15. WHAT IS HTTPS?
    WHAT IS A “CERTIFICATE AUTHORITY” (CA)?
    ▸ Trusted third-party organization
    ▸ Certifies a website (and the organization behind it) is
    who it says it is
    ▸ “Trusted” is defined by web browsers and operating
    systems

  16. ENCRYPTION
    WHAT IS HTTPS?

  17. WHAT IS HTTPS?
    ENCRYPTION KEYS
    ▸ Symmetric vs Asymmetric
    ▸ Private Key - encrypts content so it cannot be read
    in transit
    ▸ Public Key - decrypts content when it reaches its
    destination
    ▸ Public Key is available on your SSL Certificate
    ▸ Private Key exists only on the server

  18. WHAT IS HTTPS?
    THE “HANDSHAKE”
    ▸ Client says “hello” - tells the server what it can
    handle
    ▸ Server says “hello” back - tells the client what
    encryption details will be used
    ▸ Client checks out the server’s SSL Certificate
    ▸ Keys are exchanged
    ▸ Single symmetric key is established for the
    duration of the conversation

  19. WHAT IS HTTPS?
    ENCRYPTION ALGORITHMS
    ▸ This is not a technical talk!
    ▸ The way keys are encrypted for exchange
    ▸ RSA is the most common, and there are lots of RSA
    cipher suites
    ▸ Encryption is a giant study in acronyms (RSA, SHA,
    AES, DES…)
    ▸ Used to generate your private and public keys
    based on your certificate type
    Phew.
    # Builds a certificate signing request (CSR) from an existing private key
    openssl req -new -sha256 \
      -key www.example.com.key \
      -out www.example.com.csr
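The handshake on slide 18 is easier to follow as code than as bullets, so here is a toy model of it, added for this transcript and not part of the deck. It uses only the Python standard library: a small constructed Diffie-Hellman group stands in for the real key exchange, and an HMAC keyed with a constructed CA secret stands in for the CA's signature (a real CA signs with its private key and browsers verify with the CA's public key from their trust store). As on slide 17, the certificate carries the server's public key and the private key is generated on the server and never leaves it; the client uses the public key from the certificate, the server uses its private key, and both arrive at the same single symmetric session key. All hostnames, suite names and keys are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed for illustration; real TLS uses
# standardised groups such as X25519 or the RFC 7919 finite-field groups).
TOY_P = 2**127 - 1          # a Mersenne prime
TOY_G = 5

# Constructed "certificate authority". An HMAC with a CA secret stands in for
# the CA's real signature so the example needs no third-party library.
CA_NAME = "Toy CA (constructed)"
CA_KEY = b"constructed-ca-secret"
BROWSER_TRUST_STORE = {CA_NAME: CA_KEY}   # what "trusted" means on slide 15


def _cert_body(subject, public_key, issuer):
    return f"{subject}|{public_key}|{issuer}".encode()


def ca_issue(subject, public_key):
    """CA step: bind a hostname to a public key and 'sign' the binding."""
    sig = hmac.new(CA_KEY, _cert_body(subject, public_key, CA_NAME), hashlib.sha256)
    return {"subject": subject, "public_key": public_key,
            "issuer": CA_NAME, "signature": sig.hexdigest()}


def verify_certificate(cert, hostname, trust_store):
    """Client step 3: trusted issuer, valid signature, issued for this host."""
    key = trust_store.get(cert["issuer"])
    if key is None:
        raise ValueError("issuer is not in the trust store")
    body = _cert_body(cert["subject"], cert["public_key"], cert["issuer"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["signature"]):
        raise ValueError("certificate signature does not verify")
    if cert["subject"] != hostname:
        raise ValueError("certificate was issued for a different hostname")


def derive_session_key(shared_secret):
    """Both sides turn the agreed number into one symmetric key (step 5)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Server:
    def __init__(self, hostname, supported_suites):
        self.hostname = hostname
        self.supported_suites = supported_suites
        # The private key is generated here and never leaves this object.
        self._private_key = secrets.randbelow(TOY_P - 3) + 2
        public_key = pow(TOY_G, self._private_key, TOY_P)
        self.cert = ca_issue(hostname, public_key)   # public key ships in the cert

    def server_hello(self, offered_suites):
        """Step 2: pick a suite both sides support (this toy honours client order)."""
        for suite in offered_suites:
            if suite in self.supported_suites:
                return suite
        raise ValueError("no cipher suite in common")

    def finish(self, client_public):
        """Step 4 on the server: combine the client's value with the private key."""
        return derive_session_key(pow(client_public, self._private_key, TOY_P))


def client_handshake(server, hostname, offered_suites, trust_store):
    """Run the five steps of slide 18; returns (suite, client_key, server_key)."""
    suite = server.server_hello(offered_suites)                  # steps 1-2
    verify_certificate(server.cert, hostname, trust_store)       # step 3
    ephemeral = secrets.randbelow(TOY_P - 3) + 2                  # step 4
    client_public = pow(TOY_G, ephemeral, TOY_P)
    client_key = derive_session_key(pow(server.cert["public_key"], ephemeral, TOY_P))
    server_key = server.finish(client_public)                     # step 5
    return suite, client_key, server_key


def handshake_error(server, hostname, offered_suites, trust_store):
    """Return why a handshake would be refused, or None if it would succeed."""
    try:
        client_handshake(server, hostname, offered_suites, trust_store)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    srv = Server("www.example.com", ["TOY_TLS_AES_128_GCM_SHA256", "TOY_TLS_CHACHA20_POLY1305"])
    suite, ck, sk = client_handshake(srv, "www.example.com",
                                     ["TOY_TLS_CHACHA20_POLY1305"], BROWSER_TRUST_STORE)
    print(suite, "session keys match:", ck == sk)
    print("untrusted CA ->", handshake_error(srv, "www.example.com",
                                             ["TOY_TLS_CHACHA20_POLY1305"], {}))
```

The three failure cases in `handshake_error` are the ones a browser shows as a certificate warning: an issuer the trust store does not know, a certificate whose contents no longer match its signature, and a certificate for a different hostname than the one in the address bar.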

  20. POSTCARDS
    HOW IT WORKS

  21. PROTOCOLS
    WHAT IS HTTPS?

  22. WHAT IS HTTPS?
    WHAT ARE SSL AND TLS?
    ▸ Protocols are a set of rules
    ▸ Defines the steps taken during the “handshake” process
    ▸ Steps are focused on ensuring the communication is secure
    ▸ SSL: Secure Sockets Layer - older, now prohibited
    ▸ TLS: Transport Layer Security - the modern standard
    ▸ People still use the terms interchangeably

  23. WHAT IS HTTPS?
    USING HTTP STRICT TRANSPORT SECURITY (HSTS)
    ▸ Forces a browser to ONLY use HTTPS to interact with the site
    ▸ Security policy that mitigates some kinds of attacks
    ▸ Sent by the server
    ▸ Recommended for the most secure implementation
    ▸ Comes after getting your certificate set up

  24. SECURE ONLINE COMMUNICATIONS HAPPEN
    WHEN AN SSL CERTIFICATE ISSUED BY A
    CERTIFICATE AUTHORITY ENABLES A SITE TO
    TRANSFER ENCRYPTED CONTENT OVER A
    SECURE PROTOCOL.

  25. HTTPS MYTHS

  26. IT SECURES YOUR SITE
    MYTH #1

  27. IT SECURES YOUR SERVER
    MYTH #2

  28. IT AFFECTS PERFORMANCE
    MYTH #3

  29. YOU WON’T GET HACKED
    MYTH #4

  30. IT ENSURES USER PRIVACY
    MYTH #5

  31. IT IS ALL OR NOTHING
    MYTH #6

  32. IT’S EXPENSIVE
    MYTH #7

  33. PUBLIC PERCEPTION
    WHY IT MATTERS

  34. A MAJORITY OF AMERICANS (64%) HAVE
    PERSONALLY EXPERIENCED A MAJOR DATA
    BREACH.
    Pew Research Center, 2017
    WHY IT MATTERS

  35. ROUGHLY HALF OF AMERICANS (49%) FEEL THAT
    THEIR PERSONAL INFORMATION IS LESS SECURE
    THAN IT WAS FIVE YEARS AGO.
    Pew Research Center, 2017
    WHY IT MATTERS

  36. AMERICANS CONSISTENTLY LACK
    CONFIDENCE IN THE SECURITY OF
    EVERYDAY COMMUNICATION
    CHANNELS AND THE ORGANIZATIONS
    THAT CONTROL THEM –
    PARTICULARLY WHEN IT COMES TO
    THE USE OF ONLINE TOOLS.
    Pew Research Center, 2016

  37. Pew Research Center, 2014

  38. WHY IT MATTERS
    SOCIAL MEDIA
    ▸ Users are increasingly calling
    out organizations that do not
    have secure sites
    ▸ Especially applies to logins and
    financial transactions
    ▸ Will only increase with Chrome
    move in July (55% of browser
    use)

  39. SECURITY IS
    NOT PRIVACY

  40. WHY NOW?
    THE TREND TOWARDS SECURITY

  41. LET’S ENCRYPT
    2014 - HTTPS EVERYWHERE

  42. IT’S FREE FOR
    MOST SITES!

  43. ALMOST 80% OF US WEB
    TRAFFIC IS ENCRYPTED
    https://letsencrypt.org/stats/

  44. GOOGLE IS COMING FOR YOU
    JULY 2018

  45. BENEFITS
    HTTPS

  46. PROTECTS USERS
    SECURITY

  47. PROTECTS ADMINISTRATORS
    SECURITY

  48. BROWSER WARNINGS
    PERCEPTION

  49. HIGHER CONVERSIONS
    TRUST

  50. BETTER RANKINGS
    SEO

  51. APP-LIKE FEATURES
    TECHNOLOGY

  52. CHALLENGES
    HTTPS

  53. ALL CONTENT ON THE SITE
    COMPREHENSIVENESS

  54. COST
    EFFORT

  55. STAKEHOLDERS
    SKEPTICISM

  56. DECISIONS
    COMPLEXITY

  57. THE PROCESS
    STEP BY STEP

  58. BACK UP EVERYTHING.
    THEN DO IT AGAIN.

  59. IDENTIFY YOUR DOMAINS
    STEP 1

  60. STEP 1: IDENTIFY YOUR DOMAINS
    TIPS
    ▸ Determine your strategy for managing subdomains,
    especially if you have a large network of sites
    ▸ If it is only a few subdomains, it’s straightforward to add
    them to a single Multi-Domain Certificate (MDC)
    ▸ Let’s Encrypt now supports wildcard certificates
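Slide 11 names the three certificate types and Step 1 asks you to decide which of them covers your subdomains. The example below, added here and not part of the deck, makes that decision checkable: it applies the browser's hostname-matching rule (a wildcard may only be the whole leftmost label and covers exactly one label) to an inventory of hostnames and reports which ones a given certificate would leave uncovered. The name lists and hostnames are constructed placeholders under example.org.

```python
import re

# Constructed name lists standing in for the three certificate types on slide 11
# (illustrative, not real certificates).
SINGLE_DOMAIN = ["www.example.org"]
MULTI_DOMAIN = ["www.example.org", "example.org", "donate.example.org"]
WILDCARD = ["*.example.org", "example.org"]

# One DNS label: letters, digits and inner hyphens only.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def certificate_type(cert_names):
    """Classify a certificate by the names it carries, in slide 11's terms."""
    if any(name.startswith("*.") for name in cert_names):
        return "wildcard"
    return "multi-domain" if len(cert_names) > 1 else "single-domain"


def hostname_matches(cert_names, hostname):
    """True if hostname is covered by one of the certificate's names.

    Browser rule for wildcards: '*' may only be the whole leftmost label and it
    matches exactly one label, so *.example.org covers www.example.org but not
    example.org (no label to match) nor a.b.example.org (two labels).
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[2:].split(".")
            if len(labels) == len(suffix) + 1 and labels[1:] == suffix:
                return True
    return False


def uncovered_hosts(cert_names, hosts):
    """Step 1 planning aid: the hostnames you serve that this certificate would
    NOT cover, and so need their own certificate or a wider one."""
    return [h for h in hosts if not hostname_matches(cert_names, h)]


if __name__ == "__main__":
    inventory = ["www.example.org", "example.org", "donate.example.org",
                 "blog.example.org", "dev.blog.example.org"]
    for names in (SINGLE_DOMAIN, MULTI_DOMAIN, WILDCARD):
        print(certificate_type(names), "leaves uncovered:", uncovered_hosts(names, inventory))
```

Note the last inventory entry: a second-level subdomain such as dev.blog.example.org is not covered by *.example.org, which is the usual surprise when a large network of sites moves to a single wildcard.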

  61. FIND A CERTIFICATE PROVIDER
    STEP 2

  62. STEP 2: FIND A CERTIFICATE PROVIDER
    TIPS
    ▸ Determine the level and type of certificate(s)
    needed by your organization
    ▸ See what relationships your hosting provider
    may already have
    ▸ Let’s Encrypt offers free Domain Validated
    certificates for sites

  63. STEP 2: FIND A CERTIFICATE PROVIDER
    TOOLS
    ▸ Let’s Encrypt - https://letsencrypt.org/
    ▸ CloudFlare - https://www.cloudflare.com/ssl/
    ▸ Comodo - https://www.comodo.com/
    ▸ GlobalSign - https://www.globalsign.com/
    ▸ …and many others

  64. GET & INSTALL CERTIFICATE(S)
    STEP 3

  65. STEP 3: GET & INSTALL CERTIFICATE(S)
    TIPS
    ▸ Check with your hosting provider — many
    have built-in support
    TOOLS
    ▸ Certbot (uses Let’s Encrypt) https://certbot.eff.org/
    ▸ https://www.eff.org/https-everywhere/deploying-https

  66. UPDATE URLS
    STEP 4

  67. STEP 4: UPDATE URLS
    ASSET CHECKLIST
    ▸ Fonts
    ▸ Images
    ▸ Scripts & Stylesheets
    ▸ Social media
    ▸ Embedded media (audio, video)
    ▸ Iframes
    ▸ Tracking scripts like CRM and analytics tools

  68. STEP 4: UPDATE URLS
    TIPS
    ▸ Think about links between your site content as well as links to
    your assets
    ▸ Ensure all form submissions, including those embedded from
    third-party tools, are using HTTPS
    ▸ Assets served from a CDN must also be secured, if applicable
    ▸ Tools included by your third party tools affect you, too
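The asset checklist on slide 67 and the tips on slide 68 come down to one question per page: which references still say http://? The scanner below, added here and not part of the deck, walks a page with Python's standard-library HTML parser and reports every fetch-or-submit attribute (images, srcset, scripts, stylesheets, iframes, media, form actions, embedded objects) and every CSS url(http://...) that would become mixed content on an HTTPS page. Browsers block active mixed content such as scripts, stylesheets and iframes, warn on the rest, and the padlock goes away either way. Plain links to other pages are reported separately because they do not break the padlock but are still the "links between your site content" the slide asks you to update. The sample page is constructed under example.org and example.net.

```python
from html.parser import HTMLParser
import re

# Attributes that make the browser fetch from, or submit to, a URL.
URL_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "form": ("action",), "embed": ("src",),
    "object": ("data",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


def _srcset_urls(value):
    # "a.jpg 1x, b.jpg 2x" -> ["a.jpg", "b.jpg"]
    return [c.strip().split()[0] for c in value.split(",") if c.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mixed = []   # (tag, attribute, url): would break or warn on HTTPS
        self.links = []   # (tag, attribute, url): plain page links to update
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            urls = _srcset_urls(value) if attr == "srcset" else [value]
            for url in urls:
                # Protocol-relative (//host/...) and relative URLs inherit the
                # page's scheme, so only an explicit http:// is reported.
                if url.lower().startswith("http://"):
                    self.mixed.append((tag, attr, url))
        if tag == "a" and attrs.get("href", "").lower().startswith("http://"):
            self.links.append((tag, "href", attrs["href"]))
        for url in CSS_URL.findall(attrs.get("style") or ""):   # inline style=
            self.mixed.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # The text inside <style> blocks arrives here; look for url(http://...).
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.mixed.append(("style", "css", url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return {"mixed": scanner.mixed, "links": scanner.links}


# Constructed sample page (example.org / example.net placeholders, not a real site).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://fonts.example.org/site.css">
<script src="https://cdn.example.org/app.js"></script>
<script src="http://analytics.example.net/track.js"></script>
<style>body { background: url('http://cdn.example.org/bg.png'); }</style>
</head><body>
<img src="//cdn.example.org/logo.png">
<img src="http://www.example.org/hero.jpg" srcset="http://www.example.org/hero-2x.jpg 2x">
<iframe src="https://video.example.org/embed/1"></iframe>
<form action="http://donate.example.org/give"><button>Give</button></form>
<a href="http://www.example.org/about">About us</a>
</body></html>"""

if __name__ == "__main__":
    report = find_mixed_content(SAMPLE_PAGE)
    for tag, attr, url in report["mixed"]:
        print(f"MIXED  <{tag} {attr}> {url}")
    for tag, attr, url in report["links"]:
        print(f"LINK   <{tag} {attr}> {url}")
```

Run it over the exported HTML of each template or page type before flipping the site; the third-party tracking script and the donation form action in the sample are exactly the cases the slide warns about, since they are served by someone else and are easy to miss in a search of your own theme files.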

  69. STEP 4: UPDATE URLS
    TOOLS
    ▸ Chrome Lighthouse - https://developers.google.com/web/tools/lighthouse/
    ▸ Why no Padlock? - https://www.whynopadlock.com/

  70. VERIFY HTTPS WORKS
    STEP 5

  71. STEP 5: VERIFY HTTPS WORKS
    TIPS
    ▸ Validate your configuration after you deploy your
    certificate to make sure everything is set up correctly
    ▸ Run another content scan (see the Step 5 tools) to be
    sure all URLs have been converted
    ▸ Don’t require HTTPS (Step 6) until everything works
    the way you want it to

  72. STEP 5: VERIFY HTTPS WORKS
    TOOLS
    ▸ SSL Labs - https://www.ssllabs.com/
    ▸ DigiCert configuration check - https://www.digicert.com/help/
    ▸ Comodo SSL analyzer - https://sslanalyzer.comodoca.com/
    ▸ Chrome Lighthouse - https://developers.google.com/web/tools/lighthouse/

  73. FORCE HTTPS WITH REWRITES
    STEP 6

  74. STEP 6: FORCE HTTPS
    TIPS
    ▸ Your web host should provide platform-specific
    documentation
    ▸ Some have an automated implementation
    ▸ Usually managed at the web server level
    ▸ Now’s a good time to update Google Webmaster
    Tools/Search Console

  75. IMPLEMENT HSTS
    STEP 7

  76. STEP 7: IMPLEMENT HSTS
    TIPS
    ▸ Start with a short time-to-live (TTL) of 5 minutes; increase this in
    stages (one week and one month)
    ▸ Once your testing is complete, consider HSTS Preloading
      ▸ Adds you to a global list of hosts who enforce HSTS that is built in to a browser
      ▸ Reduces any vulnerability that comes with the first request to a site
      ▸ Requires that all your subdomains use HTTPS
      ▸ Submit a preload request (and read the requirements): https://hstspreload.org/
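Step 6 (force HTTPS) and Step 7 (HSTS) are one request-handling decision, so here they are together in a small Python request handler, added here and not part of the deck. Plain HTTP never serves content, it only answers with a permanent redirect to the same URL on HTTPS; the Strict-Transport-Security header is sent only on HTTPS responses, because browsers ignore it when it arrives over HTTP. The rollout stages map slide 76's 5-minute, one-week and one-month time-to-live values to the header's max-age in seconds, and a checker applies the header-level rules hstspreload.org enforces before accepting a submission (max-age of at least one year, includeSubDomains, and the preload directive). The stage names, hostnames and paths are constructed for the example.

```python
# Stages for the staged HSTS rollout on slide 76, as max-age in seconds.
HSTS_STAGES = {
    "trial": 5 * 60,             # 5 minutes: easy to back out if something breaks
    "week": 7 * 24 * 3600,
    "month": 30 * 24 * 3600,
    "preload": 365 * 24 * 3600,  # hstspreload.org wants at least one year
}
PRELOAD_MIN_AGE = 31536000       # one year, the minimum hstspreload.org accepts


def hsts_header(stage, include_subdomains=False, preload=False):
    """Build the Strict-Transport-Security value for a rollout stage."""
    max_age = HSTS_STAGES[stage]
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        # Don't advertise preload until the header would actually be accepted.
        if not include_subdomains or max_age < PRELOAD_MIN_AGE:
            raise ValueError("preload needs includeSubDomains and max-age >= 1 year")
        value += "; preload"
    return value


def parse_hsts(value):
    """Parse a header value into its three directives (names are case-insensitive)."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().isdigit():
            policy["max-age"] = int(arg.strip())
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(value):
    """Header-level checks hstspreload.org applies before accepting a submission.

    It also checks that the site redirects HTTP to HTTPS and that every
    subdomain works over HTTPS; those need a live crawl, not a string.
    """
    policy = parse_hsts(value)
    problems = []
    if policy["max-age"] is None or policy["max-age"] < PRELOAD_MIN_AGE:
        problems.append(f"max-age must be at least {PRELOAD_MIN_AGE}")
    if not policy["includeSubDomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


def handle_request(scheme, host, path, stage, include_subdomains=False, preload=False):
    """Steps 6 and 7 in one handler; returns (status, headers)."""
    if scheme == "http":
        # Step 6: a permanent redirect to the same URL on HTTPS, nothing else.
        return 301, {"Location": f"https://{host}{path}"}
    # Step 7: the policy only means something when received over HTTPS.
    return 200, {"Strict-Transport-Security": hsts_header(stage, include_subdomains, preload)}


if __name__ == "__main__":
    print(handle_request("http", "www.example.org", "/donate?amt=5", "trial"))
    for stage in ("trial", "week", "month"):
        print(stage, "->", handle_request("https", "www.example.org", "/", stage)[1])
    full = hsts_header("preload", include_subdomains=True, preload=True)
    print(full, preload_problems(full))
    print(preload_problems("max-age=2592000; includeSubDomains"))
```

The staging matters because a browser that has seen the header refuses plain HTTP for the whole max-age window; a 5-minute trial limits how long a mistake (a subdomain that is not yet on HTTPS, for instance) keeps users locked out, whereas a preloaded one-year policy cannot be withdrawn quickly.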

  77. CELEBRATE
    STEP 8

  78. WRAP UP
    THANK YOU!
    ▸ Provide your feedback: http://po.st/FTOiLr
    Ben Byrne
    Founder & Chief Creative Officer
    Cornershop Creative
    [email protected]
    @drywall
    Katherine White
    Director of Engineering
    Kanopi Studios
    [email protected]
    @katherinemwhite

  79. FOOD FOR THOUGHT
    YOUR PERSPECTIVE
    ▸ What is your biggest concern with moving to HTTPS?
    ▸ What horror stories have you heard, or lived through?
    ▸ Are there ways you feel HTTPS will impact your site that we haven’t
    talked about?
